Cisco VPN :: 5510 Possible To Define Static Crypto Map With VIP Of Load Balanced Group

Aug 17, 2011

We have two Cisco ASA 5510 Firewalls at one site, and two non-Cisco firewalls at another. Both firewall pairs are configured for high availability (Active-Passive), and both have redundant links to the Internet via routers running HSRP. In the event that one of the Internet routers were to fail, we require the VPN to dynamically move from using the old path via the failed router to using the new router with minimal downtime.
 
I have been looking at using VPN load balancing to achieve this but the only configuration example I can find is for Cisco VPN Client url... Is it possible to define a static crypto map with the VIP of the load balanced group as the peer IP? So in the non-Cisco devices I will define the VIP of the load balanced group?

Cisco :: 3945 Router Power Supplies Load Balanced By Default?

Dec 5, 2012

CISCO 3945 Routers - Are the 3945 Router power supplies load balanced by default? We are trying to determine if our switch/server rack at our remote location has maxed out its power load requirements. I just need to know if the 3945 power supplies load balance by default or if the redundant power supply is ON but not really providing the router with power and is just there in case the other power supply fails.

Cisco Routers :: RV220W V1.0.2.4 Remote Management / Load Balanced Proxy Fail?

Sep 26, 2011

I just purchased 5 RV220W to act as internet/wireless router at a remote site. There is no VPN, just LAN and Wireless routing to the internet. I have set up remote management and it works fine when I am directly connected to the internet. However, every time I try to connect through our HTTP/HTTPs proxy farm, it usually fails. Specifically, I get the log-in page and can log in. It starts to render the landing page but redirects to a page stating "Your session has been terminated." On rare instances the first page will appear, however within a few clicks I end up with the same terminated page.

As a test, I bypassed the farm and forced my browser to use one proxy exclusively. At that point I could access the HTTPS interface with no issue. I have not had any issues with other SSL sites with the proxy configuration in use. Is there some sort of MITM prevention I could be running into? If so, can it be turned off? I am new to the RV-series of routers. Is there any logging I could turn on that would provide insight on why the session may be getting terminated?

Cisco Application :: ACE 4710 Multiple Services Running On Load Balanced Servers

Jan 30, 2012

Our Exchange 2010 hub servers run multiple services/ports: smtp, www, pop3, 135, 143, https, 993, 995, 6001, 6002, 6003, 60200, 60201, 8400, and 8402. What is the best way of balancing these servers so that if only one of the services failed on a server, it would switch only the failed service to remaining servers? At present I only use an smtp probe, so as long as that service is running the server is marked good.

Cisco VPN :: 1800 - Static Crypto Configuration

Sep 3, 2012

I have a requirement to configure static crypto for 1800 site and I need to configure on two separate interfaces at spoke site, which means I need to configure 1800*2 = 3600 peers at central site. The challenge I have is due to load balancing, the traffic dynamic crypto can not be used since traffic may be initiated from DC on other link which may get dropped in case not encrypted.

Cisco Firewall :: ASA 5510 Needs Crypto Keep Regenerated

Sep 11, 2012

I have an ASA 5510 that has something weird going on. I have just added a base config where you can access on an inside interface, but for some strange reason after I disconnect I have to ping inside interface first before I can connect via telnet or SSH and then regenerate the crypto key.

Cisco Switching/Routing :: 881-K9 Load Balancing And Static NAT

Dec 3, 2012

I'm going to configure a 881-k9 with:

- Ethernet 0/0 LAN (Private Address)
- Ethernet 0/1 ISP1 (Public Address 1)
- Ethernet 0/2 ISP2 (Public Address 2)
  
find some configuration example to:

- have load balancing over the two ISP connection, used to connect to Internet

- configure Static NAT to bind:
- TCP 443
- TCP 1723 on ISP1 and ISP2 Interface to a LAN Address (SBS2008 Server)

Cisco WAN :: 1841 Unequal Load Balance With Static Routes

Oct 3, 2011

I have a 1841 router attached to 2 ISPs. Each ISP provides different bandwidth. I want to do load balance between them, but I want to do some sort of weighted load balance, so as to assign more traffic to one ISP than the other. A kind of 70/30 (70% of traffic via ISP1, and 30% of traffic via ISP2). Is there a way to accomplish that? I already tried creating bogus /32 routes, but "cef" seems to be more clever and groups the bogus routes as one gw.

Cisco WAN :: 12416 Configure Static Route Load Balancing

May 14, 2011

I got an issue when configure my 12416 router.
    
I plan to configure Static route load-balancing, which just assigns different administrative distance to static routes. The route with lower distance is preferred. For example, if ISP A is our primary Internet provider the default route may be configured with a distance of 1 (all static routes are assigned this administrative distance) and the default route through ISP B may be configured with a distance of 100. In that case the default route through ISP B will be used if only the route through ISP A becomes unavailable.

But when I try to configure with Enhanced Object Tracking to do the route failover (a generic track object can monitor presence of an ip route, state of an SLA), I found my IOS does not support such Track command. [code]

Cisco VPN :: 5510 - Authenticate One User In Only 1 Group?

Oct 20, 2011

I have two tunnel groups using WEBVPN , I have local users at ASA 5510 version 7.2.

How can I authenticate one user in only one group? Now with local users I can log in to both tunnel groups.

Cisco Firewall :: DNS Server Group On ASA 5510

Apr 5, 2011

I can not have "dns server-group" on my asa 5510, could you tell me how to get this command in my ASA 5510.

Cisco Switching/Routing :: Static Load Balancing On 3650-X IP Base?

Nov 22, 2011

Does 3650-X IP Base support Static Load Balancing, or should I upgrade to ip service SW?

Cisco WAN :: 2921 - Two Default Static Routes With Correct Load Sharing

Mar 26, 2012

I have an internet router 2921. My ISP is providing a 100 mbps internet link with static public IP network. I am using a default static route to the ISP WAN IP. I am planning to upgrade 100 mbps to 114 mbps. Unfortunately my ISP doesn't have a gig port on their side, so they are ready to provide two 57 mbps lines. The ISP agreed they will route my public IP networks in both the links.

As a result I have two 54 mbps links with same network with two WAN networks. My question is whether two default static routes to both WAN IPs will carry out the load sharing correctly?
 
Eg :

172.24.66.0 255.255.255.252    -first  link  my fa0/1 172.24.66.1
172.24.66.4 255.255.255.252 -second link  my fa0/2 172.24.66.5
 ip route 0.0.0.0 0.0.0.0 172.24.66.2
ip route 0.0.0.0 0.0.0.0 172.24.66.6

Unequal Cost Path Load Balancing With Static Routes?

Jul 20, 2011

Can it be done? Load balancing across static routes with different administrative distance? Like EIGRP.

Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some questions about VPN client and SSL VPN. On my ASA 5510 I have many tunnel-groups, around 5 tunnel-groups, and I have one SSL VPN. I also have 20 users. Let me show you that:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
and I have around 20 users and I want to assign specific users to tunnel-groups like this
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, how can I manage tunnel-groups with users?

Cisco VPN :: ASA 5510 - Group Policy In IPSEC Remote?

Nov 20, 2012

I have configured ASA 5510 with IPsec Remote VPN, with local database users (users are created in ASA).

Internal network has 4 VLANs. Need solution for below.

There are 25 users created in ASA, where only 5 to 6 users are to be granted access to particular IPs and subnets and the rest of the users can access entire LAN.

Is it possible to configure Group policy in ASA for IPsec Remote VPN?

Cisco VPN :: ASA 5510 / Create Different Group With VPN Remote Access

Apr 7, 2011

Last time, I've implemented a Remote Access VPN to my network with ASA 5510. I've allowed my VPN access to all my internal LAN, but I want to configure groups of VPN in the CLI to have different groups of users which can access different servers or different networks on my LAN.
 
Example : informatique group------access to 10.70.5.X   Network
                Consultor group -------- access to 10.70.10.X Network
 
I need to know how I can do that, and if you can give me some example script to complete this. Here is my configuration:
 
ASA Version 8.0(2)
!
hostname ASA-Vidrul
domain-name vidrul-ao.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Port_Device_Management
 nameif Management
 security-level 99
 ip address X.X.X.X 255.255.255.X
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name vidrul-ao.com
access-list 100 extended

[code]....

Cisco VPN :: ASA 5510 - Group-Lock Not Working With Web VPN And RADIUS Authentication

May 16, 2013

I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPN's, and the group-lock feature works fine.

WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.

Cisco Security :: ASA 5510 Object-group And Range Option

Feb 6, 2013

I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups, the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208. Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?

Cisco WAN :: 5510 Syslog ID 305005 No Translation Group Found

Dec 13, 2011

I have seen a few of these 305005 threads and they're usually related to NAT and resolved quickly. I have poked around a little, but can't seem to get it right. I'm using the Real-Time Log Viewer in my ASA 5510 and see lots of these 305005 errors between VPN clients and a server. Packet Tracer says it's being stopped at the PAT_POOL dynamic translation to pool 1. I'm not solidly sure of what to change. [code]

Cisco Firewall :: 5510 No Translation Group Found Error

May 31, 2011

I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
 
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error. I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command:

global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Cisco Firewall :: ASA 5510 - Multiple Pools / Group Authentication?

Apr 8, 2011

Can I have on ASA 5510 multiple pools and multiple group authentication for various departments, along with restricted access if any?

Cisco VPN :: 5510 - Separate RADIUS Profiles For SSLVPN Group

Sep 11, 2012

We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiry on how to have it configured properly.
 
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
 
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.

Cisco Firewall :: Object Group Network Limit With Asa 5510

Oct 29, 2012

We have Cisco ASA 5510. I am about to add another 2 object-group network groups on the firewall to our already growing list. Under this Object-group Network xxxx, we are planning to add about 500 network-object host xxx.xxx.xxx.xxx. This object-group will then be applied to an ACL. Just wanted to know if that's possible, meaning adding 500 hosts? If it is, what's the limit?

Also, are there any other things to keep in mind before I go ahead with this huge object group?

Cisco Firewall :: 5510 - No Translation Group Found For UDP Src Inside

Jan 10, 2013

I have seen many of these errors lately.  We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
 
[code]....

Cisco Infrastructure :: 7600 - ATM-SPA Ps368 To Define Ubr Service

Apr 4, 2011

I am trying to define a ubr+ service class on PVC for an ATM -SPA (4xOC3 ATM SPA ) but I cannot, I can only implement ubr. According to this link I read that ubr+ is only supported on SVCs. URL
 
The IOS of my 7600 device is 12.2 (33)SRE2. What I would like to know is whether there is any other IOS that supports ubr+ under PVCs.

Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themselves to the LDAP server via my firewall ASA 5510.

Cisco Wireless :: 1550AP - Define Area Without WLAN Coverage?

Nov 4, 2012

I have an Outdoor Area covered by Cisco Wireless LAN Solution (WCS, WLC, 1550AP root and Mesh lightweight). I need to disable power transmission for some of these APs in the 2.4GHz. I tried two possible ways, but both are not working:
 
1) Set the power of 802.11g/g/n to 0. There is no such option (power can be set manually from 1 to 5 and, as per the documentation, each level is a reduction of 3dB.  Therefore, even if i put to the minimum, i cannot guarantee that there is no utilization of the 2.4GHz spectrum).
 
2) Define an AP group containing these APs and don't add any SSID. Is not possible because at least one SSID must be added on each AP group.
 
Working solution/setting in AP/WLC/WCS to avoid transmission in 2.4GHZ? Otherwise the only solution is to power them off?

Cisco VPN :: ASA 5500 Firewall - Define Another Peer IP For Site2site VPN Connection

Oct 4, 2011

I have an ASA 5500 series firewall and need to define another peer IP for site2site VPN connection. Actually my aim is: ASA tries first peer IP of site2site tunnel, and when ASA can not reach this IP, it tries to reach another IP which I defined before. I can configure this scenario on Cisco Router with these commands:

crypto map to hub 1 ip sec-isakmp

Cisco AAA/Identity/Nac :: 5510 Assigning A User Group Using RSA Secure ID RADIUS Server

Feb 3, 2007

We have several ASA 5510 firewalls which are being used as VPN gateways. RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used. Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.

Cisco VPN :: Load Balancing ASA 5510

Sep 13, 2011

Currently we have deployed site to site VPN between 2 ASA 5510 model. One is corporate site and one is remote site. Now we plan to use Radware load balancer in which 2 ISP will terminate. Now if at a remote site we create only 1 IPsec tunnel and mention single ISP peering, if one ISP fails at corporate, how will remote site be accessed by site to site VPN through 2 ISP VPN? What thing do we need to do over ASA as well as load balancer at both ends?

Cisco Firewall :: CPU Load ASA 5510 V. 8.4(4).1

Apr 26, 2013

Currently, we are monitoring a Cisco ASA which is running Software version 8.4(4).1. It is showing high cpu load (reaching 90%) at some hours, and our client (who is the owner) has asked us to troubleshoot this issue, since this is not a normal operating condition for the ASA.
 
We have checked over many forums and documents about "high cpu related to Dispatch Unit process", but we still don't know where to begin, and what steps we could recommend to our client. I have uploaded an archive, where I have extracted these outputs:
 
-show processes cpu-usage sorted non-zero
-show memory
-show service-policy global
-show interface
-show run threat


Copyrights 2005-15 www.BigResource.com, All rights reserved